Google, facebook, Switzerland – peas in a pod

Today's example of ideas that should never have got beyond the back of
an envelope stage comes from Switzerland: the SwissID.

SuisseID: gone, but unfortunately still remembered

Do not confuse this with the SuisseID, which left the back of the
envelope in 2010, swallowed 20 million CHF of taxpayers' money then
turned belly up last year. The SuisseID was an attempt to create a
legally secure electronic ID. Its physical form was a smartcard or a
USB-stick with a few certificates on it.

To get one you had to fill in a paper application form, take it with
your passport to a post office, who would then confirm that you were who
you were – that vexed question! – post it off then wait a week or two. One
day a registered letter would arrive with the card and then the world
was your oyster: you could fill in your VAT returns online and buy
postage stamps online. Er… that was it.

In the interests of exploring the new world order (and paying my
company's VAT, which you could only do online using a SuisseID) I signed up for this dog's breakfast.
The card cost me 147 CHF, the accreditation of my
existence by the Swiss Post cost me 40 CHF.

I was now a digital citizen of
Switerland with a verified online identity. So for two and a half years
I filled in my VAT returns every quarter online (accessible weekdays and
business hours only!) and bought the odd postage stamp.

With only about three months to go to its normal expiry date the card
decided it didn't love me any more and self-harmed its certificates. The
fee for reissuing a new certificate would be around 100 CHF I seem to
remember. I also seem to remember that the card would have to be renewed
anyway three months later for another 147 CHF.

The now defunct SuisseID smartcard is on my desk still as a reminder of two things: 1) never be
an early adopter; 2) never trust officialdom.

SwissID: the brave new world of data aggregation

The next IT disaster, the SwissID, has now left the envelope back. For
the user it has two great advantages over the old SuisseID: it's free
and it is not time-limited. Unfortunately the downside list is a long
one and stretches from the questionable to the foolishly evil.

Firstly, we sniff the rank vapours steaming up from the backers of the
system: the Post, Swiss railways, Swisscom, big banks (UBS, Credit
Suisse, Raiffeisen, Zürcher Kantonalbank) and other financial monsters
(the Swiss Stock Exchange and Mobiliar insurance) – money has changed hands here and someone is going to make money one way or other.
Apart from ordering its subservient lackeys, the Post and the Railways, to support the
scheme, the Swiss government is keeping its head down this time round.

Secondly, we already feel the acceptance lever being applied: if you want to
buy stamps or any other online services from the Post and the Swiss Railways you will have to have
the new SwissID. The lever is doing its job: around half a million
Swiss – a large number of whom are happy to cooperate with the powers that be – have already got a SwissID.

Thirdly we come to the downright foolish, potentially evil aspects of the SwissID.
2018 was the year that IT simpletons (a.k.a. politicians) became aware of the accretion of user data that
was practised in the dark recesses of the web by shady companies with the open assistance of Google, Facebook et al.

At the moment, these organizations have to create user profiles by
cookie crunching and sophisticated pattern matching of numerous logins under numerous
identities at numerous websites. Poor lambs, how they must labour! Let's
make everything much simpler for them. Let's force the entire online
population of Switzerland to have only one identity each – how easy will that be!

With SwissID, stamp buyers, train travellers, online shoppers, online
bankers and social media users will all be brought under one shared data
umbrella.

Not only that, but the proponents of SwissID have learned from Google,
facebook and co. All the user's data will be offered by default to web
organizations. Users themselves will have to make the effort to disallow
certain data for particular sites.
Whether the organizations allow the user to do this is another matter.

The small print

SwissSign, the company behind SwissID, tells us helpfully in their FAQ
that everyone requiring a SwissID signup can get at all your data.
It tells you this by not answering the question it itself asks – who can access my data?:

You retain control over your data at all times: you determine who may
know what about you and when. In order to guarantee this, SwissID
differentiates between different trust levels. They enable you yourself
to decide which data you want to disclose to whom. You can also withdraw
approvals at any time.

The short answer to the question is therefore 'everyone'.

Those with some ID experience will burst out laughing at the response to
the question 'What happens if my SwissID account is hacked?'

SwissSign protects your data according to the highest e-banking
standards, does not pass it on to third parties without authorisation
and keeps it in Switzerland. If you suspect that your SwissID account
has been hacked, you can block this immediately.

How the first sentence of the answer is related to the question is a
mystery. Anyone who requires a SwissID login gets your data and can do
with it what they will. Passing your data on to third parties is the essence of SwissSign's business.

Those who read the Terms and Conditions
will realise that
SwissSign essentially accepts no liability for anything whatsoever,
unless you can prove negligence. As far as protecting your precious data,
the 'approval' for personal data transfer means the 'approved transfer of data which have been confirmed by the user or by third parties'.
In other words the user is required to confirm nothing: what a third party wants a third party can get. What happens after your data
has been passed to another website is an issue that remains untouched in the document.

Fourthly, the next step is even worse. The next time Swiss citizens visit the
local authority or go the the post office or want to deal with a bank,
they will be encouraged to convert their SwissID into the new E-ID
which the government has just dreamed up. The conversion will cost
money, but the goody-two-shoes of Switzerland will be happy to pay it.

The E-ID will be what the SuisseID tried to be but failed: a complete
and unambiguous identification of its owner, in effect, a digital version of the owner's passport.
Since it will now be eternally linked to its junior partner the SwissID, the entire web of
online services will be joined up under this unique identification.

Bleating our resistance

How do Swiss citizens resist this monstrous invasion of their privacy? If they are
low-level IT users there is little they can do. As usual the sheep are efficiently fleeced and kebabed
and their data will be aggregated and sold on whether they like it or not.

Those who have more IT knowledge will note that the user-key is an
email address and the SMS authentication can be replaced by a cross-off
list – that should be enough for you. The terms and conditions of use
also make interesting reading for the subversively minded. Aux armes, citoyens!